
Domain Local and local Group

slyaii

Posted 20 April 2007 - 03:25 PM

Member, 25 posts

I wanted to put this in a windows server 2003 forum, but couldn't find one.

What is the difference between domain local and computer local group. what i am trying to get here is...what happend to end users if you place them in the power user on your local and domain local group?


cheyenne 09

Posted 24 April 2007 - 04:19 AM

Member 1K, 1,258 posts

Hi slyaii
The basic answer is that it's where the accounts are kept. Domain users are entered on the domain controller and stored as objects in Active Directory. Operating systems that can support domains, such as Windows 2001 or Windows XP Professional, can then log into the domain, which allows all the users desktop access and then access to the network resources available, and these users can be centrally managed at the server. I hope this helps answer your question. Good luck.

dsenette

Posted 24 April 2007 - 07:36 AM

Administrator, 26,036 posts

good answer!

it's all about authentication...and where that authentication occurs...if you authenticate to the PC...then the PC holds all your information about what you can and cannot access....which basically would be things on that computer...if you authenticate to your domain (i.e. your domain controller) then the domain holds all your authentication information...thereby allowing you to configure permissions domain wide etc... instead of having to go to each pc and tell it that you're ok to log in there....

in a domain structure...adding domain users to the local groups can sometimes be effective...i have certain software that WILL NOT run unless the domain user is in the power users group on the local machine...for example

slyaii

Posted 25 April 2007 - 11:27 AM

Member (Topic Starter), 25 posts

Do you know a lot about administering groups? I am asking because I have users and global security groups that I do not understand well enough. I want to do this right. What I understand so far: within Active Directory Users and Computers, we have users and security groups. Users can access the domain, and security groups are what resources are granted to. Within security groups, we have something called a global security group, which enables members from only the local domain to access resources in any domain. Then there is the domain local group, whose members can come from any domain but can access resources only in the local domain.

The proper way to organize users is to add users to global groups, then to domain local groups. What I have here is:

Users: A,B,C,D

Global Security Groups: Sales, Accounting, HR.

* Do I create, within Security Groups, another set of domain local groups which has:

Domain Local Groups: Sales, Accounting, HR ???

Then place users (A,B,C,D) into these global security groups (Sales, Accounting, HR) and then into domain local groups that include the respective global security groups?

Assign the domain local groups to resources (folders within the servers) and assign permissions...

What about Local Users and Groups in Computer Management, located on the local computer (non-domain controller)? What do I do with them?

I took administrative rights and power user rights away from the local computers (end users). I then went on to remove administrative rights from any users and did the same for power users on servers that are not DCs (domain controllers).

dsenette

Posted 25 April 2007 - 11:34 AM

Administrator, 26,036 posts

you're a little mixed up...the global groups will allow you to assign permissions to users...and allow those permissions to cross over to different domains within your organization....domain local groups CANNOT cross domains (i.e. i have domain A and domain B....the accounting dept in domain A needs access to the accounting dept in domain B...i would make a global group in domain A named DOMA-Acct...then on the accounting dept folder in domain B i would assign read permissions to the DOMA-Acct group...thus giving them access)

if you make a global group...you do not have to make a domain local group for the same users...either will function the same as far as your local domain is concerned

What about Local Users and Groups in Computer Management that is located in local computer and non Domain Controller? What do I do with them???

if you have a domain set up...then you do not need local users at all (except the admin)

slyaii

Posted 25 April 2007 - 12:20 PM

Member (Topic Starter), 25 posts

dsenette, would this strategy give you the most flexibility for growth and reduce permission assignments?

1) Assign users with common job responsibilities to global groups
2) Create a domain local group for resources to be shared
3) Add global groups who need access to the resources to the domain local group
4) Assign resource permissions to the domain local group

(1) sales person >> (3) Sales global group of Domain A >> (2) Accounting domain local group << (4) permission to access Accounting in Domain A

Some of the possible limitations of other strategies include the following.

Placing user accounts in domain local groups and assigning permissions to the domain local groups: this strategy does not allow you to assign permissions for resources outside of the domain. This strategy reduces flexibility when your network grows.

Placing user accounts in global groups and assigning permissions to the global groups: this strategy can complicate administration when you are using multiple domains. If global groups from multiple domains require the same permissions, you have to assign permissions for each global group.
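The four AGDLP steps above, written out as an added PowerShell example (this is not code from the thread or from any of the posters). It assumes the ActiveDirectory RSAT module, a domain with NetBIOS name CORP, an OU `OU=Groups,DC=corp,DC=example,DC=com` and a share `\\FS01\Data\Accounting`; the group names GG-Accounting and DL-Accounting-Modify and the user names A and B are likewise assumptions for illustration.

```powershell
# Added example: provisioning one resource with the AGDLP pattern
#   Accounts -> Global group -> Domain Local group -> Permission.
# Assumed environment: domain CORP, OU below, share path below.
Import-Module ActiveDirectory

$GroupOU  = 'OU=Groups,DC=corp,DC=example,DC=com'   # assumed
$Resource = '\\FS01\Data\Accounting'                 # assumed
$Domain   = (Get-ADDomain).NetBIOSName               # e.g. CORP

# (1) Accounts -> Global group. Global groups hold users of *this* domain and
#     can be used anywhere in the forest, so they model the job role.
New-ADGroup -Name 'GG-Accounting' -GroupScope Global -GroupCategory Security `
    -Path $GroupOU -Description 'Accounting department staff'
Add-ADGroupMember -Identity 'GG-Accounting' -Members 'A', 'B'   # assumed users

# (2) Domain Local group, named for the resource and the access level. It must
#     live in the domain that owns the resource, but its members may come from
#     any trusted domain.
New-ADGroup -Name 'DL-Accounting-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $GroupOU -Description "Modify on $Resource"

# (3) Global group(s) -> Domain Local group. A global group from another trusted
#     domain is added the same way, e.g.:
#       Add-ADGroupMember -Identity 'DL-Accounting-Modify' `
#           -Members (Get-ADGroup 'GG-Accounting' -Server 'domb.example.com')
Add-ADGroupMember -Identity 'DL-Accounting-Modify' -Members 'GG-Accounting'

# (4) Permission -> Domain Local group only. No user accounts appear in the ACL,
#     so moving a person between roles is a group-membership change, not an ACL edit.
$acl  = Get-Acl -Path $Resource
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$Domain\DL-Accounting-Modify",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Resource -AclObject $acl
```

Run it once per resource with an elevated account that has rights on the OU and on the share. Because a newly created group only appears in a user's token at the next logon, members of GG-Accounting must log off and on before the folder becomes accessible.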

slyaii

Posted 26 April 2007 - 10:06 AM

Member (Topic Starter), 25 posts

I don't like to be confused either. I just want to do the right thing now so that later on I won't be so stressed out. I have so much to do, and if I can make things easier on myself, it will help out in the long run. Do you have a site that has a lot of Server 2003 forum topics?

dsenette

Posted 26 April 2007 - 10:09 AM

slyaii

Posted 26 April 2007 - 11:05 AM

Member (Topic Starter), 25 posts

This group thing is stalling me, and I want to get an answer for it. In my Active Directory, all I have are global security groups. I place users into these global security groups respectively, of course, and just assign them to the folders they need access to. However, the IT staff before me did a mix of things. Say you have a folder called Sales. Within Sales you have a global group called Sales.

Sales Folder<< Global Group Sales << Users

However, in the security tab of the Sales folder, we have the global group Sales and additional users that are not in Sales. This is just one folder; it seems like a lot that I have to fix up.

What is your recommendation? Yes, I am new.

Only place the global security group on the Sales folder and not individual users...

Now, what to do with the domain local issue...just forget about it? You are not using it...I guess for most, it should be fine.


dsenette

Posted 26 April 2007 - 11:11 AM

Administrator, 26,036 posts

if the individual users are not members of the sales group, but need access to the sales folder...then that's probably why they have individual permissions to the folder....such as administrative assistants...who need access but aren't in sales....

you could rectify this by making another group called "sales access" that would allow you to add users to that group that aren't in sales but need access to the sales folder...and set the permissions accordingly...

the worst thing is coming into a network that you didn't build...things are always crazy....what i would suggest you do is find out who these users are...what department they're in...and why they have access to the sales folder...that way you can decide why they have individual permissions...and assign things accordingly

it's best practice NOT to assign permissions to users...only groups (unless it's a single user and there's never a chance of there being more users that need these permissions)

dsenette

Posted 26 April 2007 - 02:45 PM

Administrator, 26,036 posts

well....the DC (domain controller) technically only sees those numbers....when the administrator logs on...it doesn't see "administrator has logged on" it sees "s-1-5-21-1152-x-x-x-x-xwhatever" each of those numbers is 100% unique on your domain...so much so that if you delete a user and recreate it after the user has truly been purged from AD...that new user...even though it has the same username...will have a different SID...and won't have the same access as the old user....sometimes if you see the numbers instead of the name...it's because the user doesn't exist anymore...but not all of it got cleared...and sometimes...it's...well it's just a windows glitch from my experience sometimes with no explanation
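The two clean-up problems described in the last two replies, user accounts granted permissions directly on folders and ACEs that show only a SID because the account behind it is gone, can be found with one audit pass over the share. The script below is an added PowerShell example, not code from the thread or its posters. It assumes the ActiveDirectory RSAT module and a share root of `\\FS01\Data` (both assumptions); domain membership is read from `Get-ADDomain`.

```powershell
# Added example: list explicit ACEs on a share tree that either
#   (a) grant access directly to a user account instead of a group, or
#   (b) name a trustee that no longer resolves (a bare SID left behind when
#       the account was deleted; SIDs are never reused, so it can never resolve again).
# Assumed environment: ActiveDirectory module available, share root below.
Import-Module ActiveDirectory

function Get-AceProblems {
    param([Parameter(Mandatory)][string]$Root)

    $nb = (Get-ADDomain).NetBIOSName          # e.g. CORP; used to skip BUILTIN/NT AUTHORITY
    $folders = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse)

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        # Inherited ACEs were set on a parent; report each problem once, where it was set.
        foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
            $id = $ace.IdentityReference

            # Get-Acl returns an NTAccount when the SID resolved to a name and a
            # SecurityIdentifier when it did not, which is the "numbers instead of a name" case.
            if ($id -is [System.Security.Principal.SecurityIdentifier]) {
                [pscustomobject]@{
                    Path = $folder.FullName; Trustee = $id.Value
                    Rights = $ace.FileSystemRights; Problem = 'OrphanedSID'
                }
                continue
            }

            # Only our own domain's principals are classified; well-known and local
            # groups such as BUILTIN\Administrators are left alone.
            if ($id.Value -notmatch "^$([regex]::Escape($nb))\\") { continue }
            $sam = $id.Value.Split('\')[1]
            $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -Properties objectClass

            if ($obj -and $obj.objectClass -eq 'user') {
                [pscustomobject]@{
                    Path = $folder.FullName; Trustee = $id.Value
                    Rights = $ace.FileSystemRights; Problem = 'DirectUserACE'
                }
            }
        }
    }
}

Get-AceProblems -Root '\\FS01\Data' | Sort-Object Problem, Path | Format-Table -AutoSize
```

Each `DirectUserACE` row is a candidate for the "sales access" style group suggested above: find out why the person has the permission, add them to a group that carries it, and then remove the user ACE. `OrphanedSID` rows grant nothing to anyone and can be removed outright, but because a SID that is merely unresolvable from a disconnected trust looks identical, confirm the domain part of the SID (`S-1-5-21-…`) matches your own domain's SID from `(Get-ADDomain).DomainSID` before deleting it.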